From be348579397797bdf814c41e3cbd086156f77dd6 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 17 Jun 2015 08:37:02 +0200
Subject: gpg: Print PGP-2 fingerprint instead of all zeroes.
* g10/keyid.c (fingerprint_from_pk): Allow PGP-2 fingerprints.
* g10/keylist.c (print_fingerprint): Print a warning after a PGP-2 fingerprint.
--
Printing all zeroes for a PGP-2 (v3 key) fingerprint has the problem that frontends (or the user) may use that fingerprint to lookup a key and gpg will return all PGP2 keys. They may then show a different PGP-2 key than the one actually used for a signature. This is worse than displaying a weak fingerprint.
GnuPG-bug-id: 2000
Signed-off-by: Werner Koch
---
 g10/keyid.c | 2 +-
 g10/keylist.c | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/g10/keyid.c b/g10/keyid.c
index ef6ee1c11..83020e96b 100644
--- a/g10/keyid.c
+++ b/g10/keyid.c
@@ -670,7 +670,7 @@ fingerprint_from_pk( PKT_public_key *pk, byte *array, size_t *ret_len )
 if ( pk->version < 4 ) {
- if ( is_RSA(pk->pubkey_algo) && opt.flags.allow_weak_digest_algos)
+ if (is_RSA(pk->pubkey_algo))
 { /* RSA in version 3 packets is special. */ gcry_md_hd_t md;
diff --git a/g10/keylist.c b/g10/keylist.c
index bb19bc30a..457695b68 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -1590,6 +1590,14 @@ print_fingerprint (PKT_public_key *pk, PKT_secret_key *sk, int mode )
 putc ('\n', fp); else tty_printf ("\n");
+
+ if (n==16 && !opt.with_colons && !opt.flags.allow_weak_digest_algos)
+ {
+ if (fp)
+ fprintf (fp, _("WARNING: a PGP-2 fingerprint is not safe\n"));
+ else
+ tty_printf (_("WARNING: a PGP-2 fingerprint is not safe\n"));
+ }
 } /* Print the serial number of an OpenPGP card if available. */
--
cgit v1.2.3
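Review bot: The comment on this branch in g10/keyid.c, `/* RSA in version 3 packets is special. */`, no longer says enough now that the MD5 fingerprint is returned regardless of `opt.flags.allow_weak_digest_algos`. Callers of fingerprint_from_pk that size buffers or compare results may now receive a 16-byte value for v3 RSA keys where they previously got the all-zero output described in the commit message, so the length reported through `ret_len` deserves a sentence. I would extend the comment to something like `/* v3 RSA: 16-byte MD5 fingerprint, always computed so lookups stay unambiguous; weak, not for trust decisions. */`. The rest of the function lies outside the hunk, so how non-RSA v3 keys are handled cannot be checked from here.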
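Review bot: The new check `n==16` in g10/keylist.c identifies a PGP-2 fingerprint only by its length, and n is assigned outside this hunk, so the reader has to know that 16 bytes means MD5 here; a short comment such as `/* 16 bytes: MD5 fingerprint of a v3 (PGP-2) key */` would make that explicit. The warning is also skipped under `opt.with_colons`, so machine consumers get the weak fingerprint with no marker and presumably have to recognise it from its length, which is worth stating in the same comment. Separately, the translated text is passed as the format string in both calls; `fputs (_("..."), fp)` and `tty_printf ("%s", _("..."))` would keep a stray `%` in a translation from being interpreted.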